Inspection
TLS Inspection + Fingerprinting
Server Name, application-layer protocol, and TLS client fingerprint extracted inline — with optional forward-proxy decryption under a short-lived internal certificate authority.
GA
65K fingerprints
HOW IT WORKS
Walk through a single flow
1. The Client Hello is parsed on the fast path without allocating a TLS library context.
2. Fingerprints — JA3, JA3S, JA4 — are derived from cipher suite order, extensions, and elliptic curves.
3. Policies match on Server Name, ALPN, minimum TLS version, or raw fingerprint hash.
4. Forward-proxy posture introduces a short-lived certificate authority for inbound inspection when required.
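An added illustration of steps 1 to 3, not the product's own code: Python that reads a Client Hello with plain byte offsets (no TLS library) and derives the Server Name, the ALPN list, and the JA3 string and hash that a policy would match on. It covers JA3 only, not JA3S or JA4; the function names and the `SAMPLE` record are constructed for this example.

```python
import hashlib

# Constructed Client Hello for "example.test" (hand-built, not captured traffic).
SAMPLE = bytes.fromhex("1603010072" "0100006e" "0303" + "00" * 32 + "00"
    "00080a0a13011302c02f0100" "003d" "0a0a0000" "00000011000f00000c6578616d706c652e74657374"
    "000a000800060a0a001d0017" "000b00020100" "0010000e000c02683208687474702f312e31")

def u16s(b):
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, len(b) - 1, 2)]

def is_grease(v):  # RFC 8701 placeholders (0x0A0A, 0x1A1A, ...) are left out of JA3
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def parse_client_hello(record):
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a Client Hello")
    body, pos = record[9:], 0              # skip record (5) and handshake (4) headers
    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated Client Hello")
        pos += n
        return body[pos - n:pos]
    def num(n):
        return int.from_bytes(take(n), "big")
    version = num(2)
    take(32)                               # random
    take(num(1))                           # session id
    ciphers = u16s(take(num(2)))
    take(num(1))                           # compression methods
    end = pos + 2 + num(2) if pos < len(body) else pos   # extensions are optional
    exts, groups, formats, sni, alpn = [], [], [], None, []
    while pos < end:
        etype, data = num(2), take(num(2))
        exts.append(etype)
        if etype == 0 and len(data) >= 5:  # server_name, first entry
            sni = data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii", "replace")
        elif etype == 10:                  # supported_groups (elliptic curves)
            groups = u16s(data[2:])
        elif etype == 11:                  # ec_point_formats
            formats = list(data[1:])
        elif etype == 16:                  # ALPN protocol list
            i = 2
            while i < len(data):
                alpn.append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
                i += 1 + data[i]
    ja3 = ",".join("-".join(str(v) for v in f if not is_grease(v))
                   for f in ([version], ciphers, exts, groups, formats))
    return {"sni": sni, "alpn": alpn, "ja3": ja3, "ja3_hash": hashlib.md5(ja3.encode()).hexdigest()}
```

Because JA3 keeps cipher suites and extensions in the order the client sent them, two clients offering the same set in a different order produce different hashes.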
UNDER THE HOOD
Technical notes
Fingerprint storage
A purpose-built hash table holds tens of thousands of fingerprint entries with open addressing. Lists swap atomically when threat intelligence updates — no packets dropped, no restart.
Wildcard domain matching
Domain patterns share memory in a suffix trie with prefix compression. Match cost stays logarithmic even with many granular overrides.